Notable decentralized cryptocurrency exchange Curve Finance was compromised earlier this week, as threat actors were able to effectively “clone” curve.fi and send user traffic to their fake crypto-exchange site.
“This marks yet another instance where web3 projects are compromised through vulnerabilities in the web2 infrastructures they rely on,” said CertiK co-founder and CEO Ronghui Gu.
“While there will always be some relationship between web2 and web3 systems, building the necessary security control points in web2, as well as resolving the vulnerabilities that hamper this relationship, is a vital step in securing the web3 ecosystem.”
At least $770,000 was stolen from Curve Finance users, who were directed to a false copy of the Curve site and then told to sign off on a contract (which came from the bad actors) that was then able to lift funds from the Curve Finance users’ online wallets.
For its part, Curve Finance issued a statement to users over messaging platform Telegram, where it alerted them to the potential security threats they could face. Curve Finance also encouraged users to “revoke” any contract agreements in which they may have engaged, and simply use the curve.exchange domain until the propagation for curve.fi righted itself.
“As their name suggests, cross-chain bridges are an attempt to facilitate the exchange of crypto assets between differing chains,” Gu said. To achieve this, they must combine multiple structures such as custodian, debt issuer and an "oracle."
“This makes cross-chain bridges somewhat vulnerable as there are multiple attack avenues for would-be hackers to exploit,” Gu said. “Cross-chain bridges have clearly addressed a real need in the web3 community, and consequently, they hold a huge amount of value. These structural vulnerabilities, in conjunction with the amount of assets available, make them an extremely enticing target for hackers.”
Adrien Gendre, chief technology and product officer at Vade, said that very much like online bank accounts, “crypto exchanges are irresistible targets because it is a quick win for hackers — they can simply transfer funds or unload the crypto in an instant.”
“Other types of attacks require more work and more time to achieve the final goal,” Gendre added. “We are seeing more and more of this, and this can be very difficult to detect.”